Django 1.2 Cross-site Scripting Bug Quashed

A significant security bug was found and fixed in 1.2.2 involving cookies and cross-site scripting attacks. Here's how the announcement described it.

"As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks."

But before you upgrade to 1.2.2, the most current release is now 1.2.3, go with that one instead. The 1.2.2 security fix release broke some forms and the packaging manifest was incomplete. You can download it here.